Evan Schuman: Is MasterCard's fraud program just another data grab?

Marketing executives salivate at the thought of being able to track shoppers via their mobile devices. The only problem: How to get consumers to sign on to that? MasterCard might have the answer. By spinning it as a global payment convenience, MasterCard has put a happy face on a major potential information grab.

Here's the deal. MasterCard and its partner Syniverse, a global mobile telecom firm, want you to opt in to let them track your mobile geolocation data. MasterCard says that cardholders who opt in and then travel to other countries will have fewer transactions denied. You see, cardholders are supposed to call their issuer before leaving the country so that their itineraries can be fed to the issuer's antifraud systems. When the cardholders don't do that, they are more likely to have their purchases denied.

So, says MasterCard, let's make this easier for everyone. Just register your phone with us, and then when a transaction request for you comes in from, say, Greece, our system will be able to check to see if your phone is in Greece too. If it is, the transaction is more likely to go through.

The news release announcing a trial of this program said that "mobile geolocation can deliver payment security." That is not precisely true, in the sense that it is completely false. The way this program is being set up, mobile geolocation data will tell MasterCard that your phone is in the same country where someone is trying to use your card to make a purchase. If anything, the program loosens the fraud controls for the convenience of cardholders. But just think how easy it would be to subvert that. If your MasterCard were stolen at Giza and then used to buy a high-res TV in Cairo, MasterCard's new geolocation effort would take a look and decide everything must be fine, because your phone is in Egypt.

You see, the MasterCard trial doesn't, for example, react to a transaction being processed at a retailer on Via dei Calzaiuoli in Florence by checking to see if the cardholder's mobile phone is also on Via dei Calzaiuoli. The technology exists to do so, but MasterCard won't be doing it, at least not as currently planned. Executives with MasterCard and Syniverse said the system is not going to dig beyond country level. (Though even that will be in a rather haphazard manner. MasterCard and Syniverse might note your arrival in Italy, then not check again when your card gets swiped on Via dei Calzaiuoli. Meanwhile, you may have turned your phone off and flown on to Spain. MasterCard won't know that.) Although country level is better than nothing, it doesn't have nearly the fraud-prevention potential of a more specific ping. "All we care about is whether the consumer has changed the country where they are visiting," said James Davlouros, MasterCard's vice president of global strategic alliances.

But even if MasterCard were narrowing your phone's location down to a city, a neighborhood or a specific street, this isn't a foolproof approach. Say that you keep both your MasterCard and your phone in a purse or a backpack and then that purse or backpack is stolen. There go your credit card and your phone, always together in the shops the thief visits.

After talking in their Mobile World Congress press release about how this service would "enhance peace of mind for mobile users when they are traveling abroad," MasterCard and Syniverse eventually made a point that might explain what really lies behind this initiative: "Mobile network operators and brands can also benefit from the collaboration between MasterCard and Syniverse. In the future, they could implement targeted offers, which will be made more relevant by knowing the location of a mobile device, for example in close proximity to a retail store. A research report for Syniverse from economists at SEEC uncovered a market valued at as much as $44 billion for operators providing services to brands based on opted-in mobile subscribers' information, behavior and location -- known as mobile context."

So, yes, back to that question of how to get consumers to opt in. In this regard, MasterCard and Syniverse have some work to do. They have yet to agree on a privacy policy, according to Davlouros and Syniverse chief marketing officer Mary Clark. In other words, they haven't figured out what they want consumers to sign away.

Will the data only be used for authentication? Can marketing see where shoppers are going? Can special offers be texted to shoppers based on those movement patterns? Will the data be used only in aggregated, anonymous form? And do third parties get to see those aggregated -- and perhaps not aggregated -- patterns?

I don't think it bodes well for users' privacy when companies proceed to a trial without answering any of those questions. When geolocation is involved, privacy can't be treated as an afterthought. My cynical side wants to say that these execs know exactly how far they want to go, but they're not ready to say. Why announce it when a little-read, small-type privacy policy can do it instead?

To be fair, what the two partners are trying to do is extremely complicated. They need to coordinate information as consumers bounce from one carrier to another in various countries, as well as disappear entirely while in flight. Not every store or street in every country has consistently reliable wireless access, whether Wi-Fi or over-the-air. And although the goal is to have agreements with as many carriers and related companies as possible, it's going to take some time to get there, and in the meantime, the telecom patchwork will have many holes in it. Another issue is that legal standards differ from country to country and province to province. "Different countries have different regulations about privacy," MasterCard's Davlouros said.

Nonetheless, when MasterCard and Syniverse roll this program out in its final form, they will have to have crafted a privacy policy. That policy will reveal what limits they choose to set for themselves. The frightening question is this: Will any of their customers bother to read it?

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
